Enterprise Cloud Security and Governance
eBook - ePub

Enterprise Cloud Security and Governance

  1. 410 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Enterprise Cloud Security and Governance

Book details
Book preview
Table of contents
Citations

About This Book

Build a resilient cloud architecture to tackle data disasters with ease

Key Features

  • Gain a firm grasp of Cloud data security and governance, irrespective of your Cloud platform
  • Practical examples to ensure you secure your Cloud environment efficiently
  • A step-by-step guide that will teach you the unique techniques and methodologies of Cloud data governance

Book Description

Modern day businesses and enterprises are moving to the Cloud, to improve efficiency and speed, achieve flexibility and cost effectiveness, and for on-demand Cloud services. However, enterprise Cloud security remains a major concern because migrating to the public Cloud requires transferring some control over organizational assets to the Cloud provider. There are chances these assets can be mismanaged and therefore, as a Cloud security professional, you need to be armed with techniques to help businesses minimize the risks and misuse of business data.

The book starts with the basics of Cloud security and offers an understanding of various policies, governance, and compliance challenges in Cloud. This helps you build a strong foundation before you dive deep into understanding what it takes to design a secured network infrastructure and a well-architected application using various security services in the Cloud environment.

Automating security tasks, such as Server Hardening with Ansible, and other automation services, such as Monit, will monitor other security daemons and take the necessary action in case these security daemons are stopped maliciously. In short, this book has everything you need to secure your Cloud environment with. It is your ticket to obtain industry-adopted best practices for developing a secure, highly available, and fault-tolerant architecture for organizations.

What you will learn

  • Configure your firewall and Network ACL
  • Protect your system against DDOS and application-level attacks
  • Explore cryptography and data security for your cloud
  • Get to grips with configuration management tools to automate your security tasks
  • Perform vulnerability scanning with the help of the standard tools in the industry
  • Learn about central log management

Who this book is for

If you are a Cloud security professional who wants to ensure Cloud security and data governance irrespective of the environment, then this book is for you. Basic understanding of working on any Cloud platforms is beneficial.

Frequently asked questions

Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes, you can access Enterprise Cloud Security and Governance by Zeal Vora, Adrian Pruteanu in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Packt Publishing
Year
2017
ISBN
9781788298513
Edition
1
Topic
Computer Science
Subtopic
Cyber Security
Index
Computer Science

Server Hardening

Server hardening is a step-by-step approach to secure an operating system and hence reduce the overall surface area for vulnerabilities.
Linux comes with a great set of inbuilt tools, such as iptables, SELinux, PAM, and auditd, that can be used in conjunction with external open source tools, such as OSSEC, LUKS, and Spacewalk to achieve a high level of security posture of any organization.
Just implementing a single set of tools cannot ensure security. We have to use various sets of tools to achieve a particular use case, and in the end, we will have many tools working together to ensure an effective security posture of your server.
Let's look at an example to understand this better. Nowadays, most cars come with a seat belt as a safety feature. However, the driver can choose not to wear the seat belt. Hence, the overall functionality of having a seat belt can be lost if it is not utilized.
Thus, we have many new safety features such as airbags that are now becoming mandatory in vehicles to ensure additional safety.
Similarly, Linux OS comes with plenty of tools that can enhance security, but if the system administrator decides to allow 0.0.0.0/0 in the firewall and decides to disable SELinux, then the overall security functionality that makes Linux so powerful is lost.
In this chapter we will be discussing Linux specific security aspects, which begins with various principles of host based security followed by auditing frameworks such as auditd, discretionary access controls (DAC), centralized authentication with IPA and SAML based approach for SSO followed by HIDS and hardening image based approach.

The basic principle of host-based security

There is a certain set of basic security principles that should be followed in an organization, which, in turn, will lead to an effective security posture that will eventually protect against security-related attacks. We have divided them into three major sections, as follows:
  • Only run the necessary services: This is one of the important aspects to follow. Only run services that are necessary and remove all the unnecessary services from the system. We also need to make sure that the services running do not have any security vulnerabilities associated with them.
  • Separate server by function: This is a mandatory requirement for PCI DSS. It mandates that each server should serve a single purpose. If you have a single large server to manage your workload and if it gets compromised, then all services within this server will be compromised.
This is the reason why we should always have a separate server for each individual function; for example, a single server should not act as a Web Server, App Server, and Database. There should be three separate servers for each service. This is further explained in the transition diagram shown here:
  • The principle of least privilege: Many system administrators assume that the principle of least privilege means that they should only give access to users who have a valid business requirement of the server. However, when we talk about enterprise-grade security, it is not just about users; even the process should be properly confined.
Let's look at a few scenarios to understand it:
  • Only allow users to run a command, which they need to complete the work.
  • A developer wants to access an application server to check the logs. In order to check the logs, he would typically need commands, such as less, tail, and vim. In such cases, he should only be able to run commands such as tail and vim and should not be able to run commands such as netstat, getent passwd, or netstat -ntlp.
  • In a Linux system, a user with even basic login privileges will be able to run commands, such as getent passwd or netstat. This becomes more challenging especially if there are any executables with the SetUID bit set. We will discuss in detail about SetUID in the upcoming section.
We have created a user named test-user and tried to enumerate what a normal user can do:
$ test-user@kplabs : getent passwd 
root:x:0:0:root:/root:/bin/bash
arun:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
elasticsearch:x:120:130::/home/elasticsearch:/bin/false
zeal:x:1002:1002::/home/zeal:
manoj:x:1003:1003::/home/zeal:
  • Restrictions on process access to files: You are running Apache as a web server, which serves the files from the /var/www/html folder. As a principle of least privilege, the process of Apache should only be able to access the /var/www/html directory and has no need to access all the other directories, such as /home or /root. Appropriate restrictions should be applied to ensure this.
We will discuss more how this can be achieved in the SELinux section.

Keeping systems up-to-date

All software contains bugs. Thus, in a general scenario, the software patches are available almost every day for most operating systems. Some of the patches might fix the security vulnerability; however, some updates might just enhance the functionality of the software. When the security patches are made available, we need to make sure that they are applied to the systems as soon as possible.
Let's understand the Windows-based approach for updates and then we will move on to a Linux-based server.

The Windows update methodology

In a Windows-based system, we generally get notifications related to the pending updates via Windows Update Center. It also further classifies the updates based on various categories, depending on the update, as follows:
  • Critical updates
  • Security update
  • Definition update
  • Feature pack
This gives an overview to the user regarding whether he should install the updates immediately or not. For example, A user might install critical updates and security updates whenever available, while updating the feature pack-based updates only once a month.

The Linux update methodology

In RedHat-based systems, the software is packaged in terms of files called an RPM package. Each of the RPM files has a name associated with it that reveals key information. This is the full name of the Apache package available in the CentOS repository that can be divided into three sections:
httpd-2.4.6-45.el7.centos.4.x86_64.rpm
Package name : httpd 
Package Version : 2.4.6-45 
OS : el7 
Hardware Architecture : x86_64
This gives us generic information that the particular httpd package is of version 2.4.6.45 and is a part of the CentOS 7-based repository and compatible with the x86-64 based architecture.
Now that we understa...

Table of contents

  1. Title Page
  2. Copyright
  3. Credits
  4. About the Author
  5. About the Reviewer
  6. www.PacktPub.com
  7. Customer Feedback
  8. Preface
  9. The Fundamentals of Cloud Security
  10. Defense in Depth Approach
  11. Designing Defensive Network Infrastructure
  12. Server Hardening
  13. Cryptography Network Security
  14. Automation in Security
  15. Vulnerability, Pentest, and Patch Management
  16. Security Logging and Monitoring
  17. First Responder
  18. Best Practices